External Network Security
CPS 411, Essentials: IT Network Practitioners, Darren Dayton
Boise, Idaho 9/29/2024
Abstract— This paper is an attempt to introduce current security concerns about external and/or cloud applications, including any mitigating factors or strategies to combat bad actors.
Index Terms— cloud, external, breach, mitigation, security
I. INTRODUCTION
Increasing use of cloud solutions introduces increasing risks of security breaches. More and more companies are moving to a cloud computing strategy, and while this is an excellent use of resources, it limits their ability to control, and therefore secure, their information. This paper will rank the top five threats in this regard, and any mitigating factors that exist.

II. MISCONFIGURATION
Let's start with a graphic.
Figure 1: Change in threats between '22 and '24
The threat of misconfigured services, and by extension misconfigured public-facing security, has both taken over the top spot from years past and increased the likelihood of more incidents because of more lax security. This is a hole in the wall that attackers can simply walk through any time they want, and thus it must be mitigated.
The question becomes "How do we fix this?" and in the short term the answer is to patch the holes, tighten up the security, and be vigilant. However, this doesn't diagnose the problem; it just masks the symptoms.
As an example, in May of 2023, DarkBeam, a managed cloud protection service and digital risk protection firm, accidentally left an Elasticsearch and Kibana interface unguarded, which exposed over 3.8 billion records that the company was ironically collecting so as to inform clients if they had been breached. Needless to say, it doesn't matter how good you are at this; human error wins out sometimes. [1]
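The DarkBeam exposure above is a configuration problem, and configuration can be checked mechanically before a node is ever given a routable address. The following is an added example, not code from the paper or from Elastic: a small audit of the flat key: value settings in elasticsearch.yml that reports the settings which leave the REST API open (security disabled, a non-loopback bind without authentication or TLS, roles granted to anonymous requests). The setting names are real Elasticsearch settings; the two sample configurations are constructed for the demo.

```python
"""Configuration audit for the exposed-search-interface pattern.
Added example, not code from the paper or from Elastic. It reads the flat
``key: value`` form of elasticsearch.yml; both sample configs are constructed."""

LOOPBACK_VALUES = {"_local_", "localhost", "127.0.0.1", "::1"}


def parse_flat_yaml(text):
    """Parse ``key: value`` lines (the form elasticsearch.yml normally uses).
    Trailing comments are dropped; nested YAML blocks are out of scope here."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        cfg[key.strip()] = value.strip().strip("'\"").lower()
    return cfg


def is_public_bind(host):
    """True when the HTTP listener is reachable beyond the local machine."""
    return host not in LOOPBACK_VALUES and not host.startswith("127.")


def audit_elasticsearch(text):
    """Return (finding_id, explanation) pairs for settings that leave the REST API open."""
    cfg = parse_flat_yaml(text)
    findings = []
    security = cfg.get("xpack.security.enabled")
    bind = cfg.get("network.host", "_local_")  # Elasticsearch binds to loopback when unset

    if security == "false":
        findings.append(("SEC-OFF", "xpack.security.enabled is false: no authentication on the REST API"))
    elif security is None:
        findings.append(("SEC-UNSET", "xpack.security.enabled not set; state it explicitly instead of relying on the version default"))

    if is_public_bind(bind) and security != "true":
        findings.append(("PUBLIC-NOAUTH", f"network.host={bind} exposes the API beyond loopback with security not enabled"))

    if is_public_bind(bind) and cfg.get("xpack.security.http.ssl.enabled") != "true":
        findings.append(("NO-TLS", "HTTP API reachable beyond loopback without xpack.security.http.ssl.enabled"))

    roles = cfg.get("xpack.security.authc.anonymous.roles")
    if roles:
        findings.append(("ANON", f"anonymous requests are granted roles: {roles}"))
    return findings


def finding_ids(text):
    return [fid for fid, _ in audit_elasticsearch(text)]


# Constructed sample: the shape of an unguarded deployment
WEAK_CONFIG = """
cluster.name: demo-cluster
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
xpack.security.authc.anonymous.roles: superuser
"""

# Constructed sample: the same node, hardened
HARDENED_CONFIG = """
cluster.name: demo-cluster
network.host: 10.0.0.12          # private interface, reached only through the firewall
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label)
        for fid, why in audit_elasticsearch(cfg):
            print(f"  [{fid}] {why}")
```

Running the file prints the findings for both samples. The same check belongs in the deployment pipeline as a gate, which is the practical form of the audits the paper recommends: a node whose audit returns findings is not given an externally reachable address, so a mistake is caught by tooling rather than by whoever scans the internet first.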
The best mitigation for misconfigured cloud settings is training. Understanding that cloud architecture requires specific and different security techniques than a standard network is a great starting point, and there are other things that can assist, such as audits and risk assessments, unauthorized change protection, change restoration, etc. However, correctly training people to understand and configure cloud services properly is the only way to ensure that misconfigurations don't keep happening.

III. IDENTITY/ACCESS MANAGEMENT
Access management is an incredibly important security point to consider. If you do it improperly, either you cannot access information you should be able to access, or others who should not be able to access said information can access it. Either way will cause an interruption to business, and as such it needs to be handled carefully.
This can also cause other issues, such as data loss or disclosure, system outage, and even reputational losses. So, to
mitigate these issues, we need to have solid access management.
The best ways to keep access limited to only those who need it, which also requires the identification of said persons, are techniques such as exemption management, correct data classification, vulnerability prioritization, user access review, and the principle of least privilege.
Least privilege of course leads us into zero trust architecture, which in general will be the best way to go about protecting systems and mitigating most of the issues pointed out in this paper. Here's a simple graph to visualize it.
Figure 2: Zero Trust Access [2]
As an example, a company named Okta, which handles identity and authentication services, was hit in October of 2023 with a data breach in which a bad actor with stolen credentials accessed its case management system, gaining an unspecified amount of customer records and information. Continuous review, monitoring, and audits, as well as maintaining secured sites to host sensitive data, are what could have saved the day here. [1]

IV. INSECURE INTERFACES/APIS
On the face of it, interfaces and APIs seem like items that only require securing sometimes, depending on a number of factors, including what data you are dealing with, how it is stored and accessed, etc. However, this couldn't be further from the truth: insecure interfaces and APIs are some of the easiest and most widely used access points for bad actors in a number of criminal enterprises, including identity theft, information brokerage, corporate espionage, intellectual property theft, and many more.
Interfaces should remain secure at all times in a properly maintained zero trust system, so much of the work there should already be done (disable interfaces not in use, make sure only authorized
users/machines can access and use them, For mitigation purposes, rate
etc.). However, APIs are where it gets limiting, changing identification tokens to
tricky. Here is a quote that highlights this something with shorter lifespans and
issue: automatic timed rotations, MFA, and other
such measures are the best currently
"As organizations are securing their web
available.
applications, they can't forget about their
APIs," says Forrester analyst Sandy Carielli. For an example, Trello, a site for
"Security pros must specifically build in API managing and organizing boards (think a
security and not assume that it's rolled into chores list, who is assigned and for what)
their existing web application was attacked earlier this year when a public
protections."[3] API that matched an already existing email
database with Trello accounts was found.
APIs don’t have standard protection
The user data of over 15 million users was
protocols built into them like most programs
leaked and subsequently sold on the Dark
do. And we security people haven’t been the
Web.[1]
only ones to notice. Gartner, a large
technological and information research firm V. INADEQUATE CLOUD
SECURITY STRATEGY
known for their accurate predictions (to the
Having a robust cloud security
tune of their current net worth being nearly
strategy is important to security, of course,
$6 billion dollars) claimed in 2021 that by
but having it available at the start of the
the next year API attacks would be the most
enterprise, in order to help guide and design
attacked vector in enterprise data breaches.
the enterprise, is equally vital. Designing
[3] Three years later, and we can still see
cloud security systems with a weak or non-
this plainly happened. [4]
existent plan is one of the best ways to get
your data stolen, and to have multiple recurring incidents.
Figure 3: Elements of Cloud Security Strategy [5]
This chart from an article on Sentra's website identifies multiple elements to address when creating a cloud security strategy, which includes many of the things discussed so far in this paper. However, in this case it isn't any one thing that needs to be done, or secured better, other than the actual creation of a plan. The only real problem this idea addresses is what to do to avoid creating more chaos, and therefore more security issues and blind spots.
The mitigation here is actually simple: make sure you have a plan before you start designing the network or cloud or API, and that the plan in question addresses elements like those shown in Figure 3. It's rather basic, but surprisingly effective and important.
An example of this not being done properly is in June 2023, when JumpCloud was hacked by a spear phishing attack aimed at one of their engineers. There were many failures, including security training, reporting, and auditing, but most if not all of the issues involved would have been far easier to handle, and the company far more secure, if there had been a set plan laid out that was then followed. [1]

VI. INSECURE THIRD PARTY RESOURCES
Third party resources are by far the hardest item in this list to secure, in my opinion, because you do not have access to what you need in order to secure them. In that way, this could be considered a supply-chain attack, with all the attendant problems that entails.
According to an article from 2020 about third party and supply-chain attacks, Ohio State University researchers determined that a full two thirds of breaches were due to third party or supplier vulnerabilities. [6] This is concerning on multiple levels, as it demonstrates not only that there is a large vulnerability being glossed over, if not outright ignored, but also that we haven't been learning from our mistakes, as this is still happening.
As an example, in April of 2024, meaning merely five months ago, there was a notable uptick in breaches focused on suppliers, including credential theft, denial of service, data theft, software or firmware tampering, and even attempts to tamper with the vendor's service or product directly before it gets to the customer. [1]
There are not a lot of mitigations that can be made here, of course, as this is a product you do not control and did not create. However, due diligence would be to identify and use companies that are known for secure products, or at least not known to have been breached; to examine the product with SCA (software composition analysis), which can help identify critical issues before users are breached by them; to perform reviews of access grants to critical components like infrastructure, high-impact individual applications, or code repositories; and to work with the companies you've identified to ensure that they have the training and tools to perform application security testing on their product. [1]

VII. CONCLUSION
There are many considerations when looking into cloud and external resources for your company, and the burden of security, as always, falls on you. There are no guarantees of security, but by doing the work and examining the factors, you can ensure that you are a far harder target to hit than would be the case otherwise.
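Worked example for Section III, added here and not part of the original paper: a least-privilege review that combines the "user access review" and "principle of least privilege" techniques the section lists. It flags over-broad grants in an IAM-style policy document (the common Effect/Action/Resource statement form), derives the actions a principal actually exercised from access-log lines, and narrows each grant to that set. The policy, the principal name, the account id and the log lines are constructed, not taken from any real environment.

```python
"""Least-privilege review of an IAM-style policy against what a principal actually used.
Added example, not code from the paper or from any cloud provider. The policy and the
access-log lines are constructed; the JSON shape is the usual Effect/Action/Resource form."""

import fnmatch
import json


def _as_list(value):
    return value if isinstance(value, list) else [value]


def review_policy(policy):
    """Flag grants that are broader than any single workload needs."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if "NotAction" in st:
            findings.append(f"stmt {i}: Allow with NotAction permits everything not listed")
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"stmt {i}: wildcard action {action}")
        if "*" in resources:
            findings.append(f"stmt {i}: Resource * covers every resource in the account")
        if "*" in actions and "*" in resources:
            findings.append(f"stmt {i}: effectively full administrative access")
    return findings


def used_actions_from_log(lines):
    """Collect the actions a principal exercised from constructed
    '<timestamp> <principal> <action> <resource>' log lines."""
    used = set()
    for line in lines:
        parts = line.split()
        if len(parts) >= 3:
            used.add(parts[2])
    return used


def tighten(policy, used_actions):
    """Narrow every Allow statement to the granted actions that were actually used;
    statements whose grants were never exercised are dropped (the access-review step).
    Deny statements are kept untouched."""
    narrowed = {"Version": policy.get("Version", "2012-10-17"), "Statement": []}
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            narrowed["Statement"].append(st)
            continue
        patterns = _as_list(st.get("Action", []))
        kept = sorted(a for a in used_actions if any(fnmatch.fnmatchcase(a, p) for p in patterns))
        if kept:
            narrowed["Statement"].append({**st, "Action": kept})
    return narrowed


# Constructed policy: a bucket grant, an unused grant, and a blanket admin statement
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::demo-bucket/*"},
        {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"},
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
    ],
}

# Constructed access log for the principal over the review window (account id is a placeholder)
ACCESS_LOG = [
    "2024-09-01T10:00:00Z app-role s3:GetObject arn:aws:s3:::demo-bucket/report.csv",
    "2024-09-01T10:00:05Z app-role s3:PutObject arn:aws:s3:::demo-bucket/out.csv",
    "2024-09-01T10:00:09Z app-role logs:PutLogEvents arn:aws:logs:us-east-1:000000000000:log-group:demo",
]


def run_review(policy=POLICY, log=ACCESS_LOG):
    """Return (findings before, tightened policy, findings after)."""
    before = review_policy(policy)
    tightened = tighten(policy, used_actions_from_log(log))
    return before, tightened, review_policy(tightened)


if __name__ == "__main__":
    before, tightened, after = run_review()
    print("before:", *before, sep="\n  ")
    print(json.dumps(tightened, indent=2))
    print("after:", *after, sep="\n  ")
```

Note what the narrowing does not fix: the admin statement is cut down to the three actions that were used, but it still carries Resource *, so the after-review findings are not empty. Scoping resources needs a human decision about which ARNs the workload touches, which is why the paper pairs least privilege with continuous review rather than a one-off tool run.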
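Worked example for the Section IV mitigations (rate limiting, short-lived tokens, automatic timed rotation), added here and not code from the paper or from any vendor. The request sequence, the client addresses (RFC 5737 documentation ranges) and the timings are constructed; the token format (base64url JSON claims plus an HMAC-SHA256 tag, with a kid claim selecting the key) is a minimal stand-in for what a real JWT library would produce.

```python
"""Rate limiting plus short-lived tokens under timed key rotation.
Added example, not code from the paper or from any vendor; the client
addresses and request timings are constructed."""

import base64
import hashlib
import hmac
import json
import os


class TokenBucket:
    """Per-client token bucket: `capacity` requests at once, refilled at `rate` per second."""

    def __init__(self, capacity, rate):
        self.capacity, self.rate = capacity, rate
        self.state = {}  # client -> (tokens_left, last_seen)

    def allow(self, client, now):
        tokens, last = self.state.get(client, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        self.state[client] = (tokens - 1 if tokens >= 1 else tokens, now)
        return tokens >= 1


class KeyRing:
    """HMAC keys with automatic timed rotation. The newest key signs; an older key still
    verifies until `rotate_every + grace` seconds after creation, which caps the life of
    every token regardless of its own `exp` claim."""

    def __init__(self, rotate_every, grace):
        self.rotate_every, self.grace = rotate_every, grace
        self.keys = {}  # kid -> (secret, created_at)
        self.current = None

    def signing_key(self, now):
        if self.current is None or now - self.keys[self.current][1] >= self.rotate_every:
            self.current = f"k{len(self.keys)}"
            self.keys[self.current] = (os.urandom(32), now)
        return self.current, self.keys[self.current][0]

    def verifying_key(self, kid, now):
        if not isinstance(kid, str) or kid not in self.keys:
            return None
        secret, created = self.keys[kid]
        return None if now - created > self.rotate_every + self.grace else secret


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(ring, subject, now, ttl):
    kid, secret = ring.signing_key(now)
    body = _b64(json.dumps({"sub": subject, "kid": kid, "iat": now, "exp": now + ttl}).encode())
    return body + "." + _b64(hmac.new(secret, body.encode(), hashlib.sha256).digest())


def verify_token(ring, token, now):
    """Return (ok, detail). `kid` only selects a key; no other claim is trusted until the
    signature has passed a constant-time compare."""
    try:
        body, sig = token.split(".")
        claims = json.loads(_unb64(body))
        sig_bytes = _unb64(sig)
    except ValueError:
        return False, "malformed"
    if not isinstance(claims, dict):
        return False, "malformed"
    secret = ring.verifying_key(claims.get("kid"), now)
    if secret is None:
        return False, "key retired"
    if not hmac.compare_digest(hmac.new(secret, body.encode(), hashlib.sha256).digest(), sig_bytes):
        return False, "bad signature"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return False, "expired"
    return True, claims.get("sub")


class Api:
    def __init__(self):
        self.limiter = TokenBucket(capacity=3, rate=1.0)
        self.ring = KeyRing(rotate_every=300, grace=60)

    def handle(self, client, token, now):
        """Rate limit first (cheap, no crypto), then authenticate."""
        if not self.limiter.allow(client, now):
            return 429, "rate limited"
        ok, detail = verify_token(self.ring, token, now)
        return (200, detail) if ok else (401, detail)


def demo():
    """Constructed request sequence; returns the status codes in order."""
    api = Api()
    tok = issue_token(api.ring, "alice", now=0, ttl=600)
    codes = [api.handle("203.0.113.5", tok, now=0)[0] for _ in range(4)]  # 200 200 200 429
    codes.append(api.handle("203.0.113.5", tok, now=2)[0])  # bucket refilled: 200
    issue_token(api.ring, "bob", now=310, ttl=600)  # forces rotation to k1
    codes.append(api.handle("198.51.100.7", tok, now=350)[0])  # k0 inside grace: 200
    codes.append(api.handle("198.51.100.7", tok, now=370)[0])  # k0 retired before exp: 401
    return codes
```

demo() walks one client through a burst that trips the limiter, then shows a token that is still inside its own exp being refused once its signing key is retired: rotation therefore caps token lifetime even when the issuer was generous with ttl. The limiter runs before signature verification on purpose, so a flood of bad tokens costs the server only a dictionary lookup per request.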
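Worked example for Section VI, added here and not code from the paper or from any SCA product: a minimal software composition analysis pass over a requirements-style lockfile. It matches pinned versions against an advisory list with introduced/fixed ranges, normalises package names the way PEP 503 does, and also reports the two hygiene gaps that make supply-chain review impossible, unpinned version ranges and pins without --hash. Package names, versions and advisory ids are all constructed and refer to nothing real; --hash is pip's own hash-checking syntax.

```python
"""Minimal software composition analysis over a requirements-style lockfile.
Added example, not code from the paper or from any SCA vendor. The lockfile,
the package names and the advisory entries are constructed; none refers to a
real package or a real vulnerability."""

import re

# Constructed advisory feed: a version is affected when introduced <= version < fixed
ADVISORIES = [
    {"id": "DEMO-ADV-001", "package": "examplelib", "introduced": "1.0.0", "fixed": "1.4.2", "severity": "critical"},
    {"id": "DEMO-ADV-002", "package": "demo-http", "introduced": "0.9.0", "fixed": "2.0.0", "severity": "high"},
    {"id": "DEMO-ADV-003", "package": "safepkg", "introduced": "3.0.0", "fixed": "3.0.5", "severity": "medium"},
]

# Constructed lockfile (the hash digests are placeholders)
LOCKFILE = """
# generated for the demo service
examplelib==1.3.0 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000001
Demo_HTTP>=1.5
safepkg==2.1.0 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000002
loggerkit==4.2.0
"""

SPEC_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|>|<|!=)?\s*([0-9][0-9.]*)?")


def normalize(name):
    """PEP 503 normalisation so Demo_HTTP and demo-http compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(text):
    return tuple(int(p) for p in text.split(".") if p)


def parse_lockfile(text):
    """Return (normalized name, pinned version or None, has_hash) per requirement line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        name, op, ver = m.groups()
        pinned = ver if op == "==" else None
        entries.append((normalize(name), pinned, "--hash=" in line))
    return entries


def affected(version, adv):
    v = parse_version(version)
    return parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"])


def scan(lock_text, advisories=ADVISORIES):
    """Return findings as (kind, package, detail), in lockfile order."""
    by_pkg = {}
    for adv in advisories:
        by_pkg.setdefault(normalize(adv["package"]), []).append(adv)
    findings = []
    for name, pinned, has_hash in parse_lockfile(lock_text):
        if pinned is None:
            findings.append(("UNPINNED", name, "version range instead of an exact pin; the resolved build is not reviewable"))
            continue
        if not has_hash:
            findings.append(("NO-HASH", name, "pin without --hash; the installed artifact cannot be verified against the reviewed one"))
        for adv in by_pkg.get(name, []):
            if affected(pinned, adv):
                findings.append(("VULN", name, f"{adv['id']} ({adv['severity']}) affects {pinned}; fixed in {adv['fixed']}"))
    return findings


if __name__ == "__main__":
    for kind, package, detail in scan(LOCKFILE):
        print(f"[{kind}] {package}: {detail}")
```

A real run swaps ADVISORIES for a feed such as the OSV database and fails the build on VULN at or above a chosen severity. The UNPINNED and NO-HASH findings are worth failing on as well: without an exact pin and a hash, the SCA result describes the version you reviewed, not necessarily the one that gets installed, which is exactly the gap a supply-chain tamper exploits.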
REFERENCES
[1] CSA Top Threats Working Group, "Top Threats to Cloud Computing 2024," Cloud Security Alliance, Aug. 05, 2024. https://cloudsecurityalliance.org/artifacts/top-threats-to-cloud-computing-2024 (accessed Sep. 29, 2024).
[2] S. Rose, O. Borchert, S. Mitchell, and S. Connelly, "Zero Trust Architecture," NIST Special Publication 800-207, Aug. 2020, doi: https://doi.org/10.6028/NIST.SP.800-207.
[3] ISC2, "The Threat of Insecure Interfaces and APIs," www.isc2.org, Oct. 07, 2021. https://www.isc2.org/Insights/2021/10/the-threat-of-insecure-interfaces-and-apis (accessed Sep. 29, 2024).
[4] A. Cameron, "Gartner predicted APIs would be the #1 attack vector - Two years later, is it true?," Att.com, May 25, 2024. https://cybersecurity.att.com/blogs/security-essentials/gartner-predicted-apis-would-be-the-1-attack-vector-two-years-later-is-it-true (accessed Sep. 29, 2024).
[5] D. Suissa, "Cloud Security Strategy: Key Elements, Principles & Challenges," www.sentra.io, Sep. 08, 2024. https://www.sentra.io/learn/cloud-security-strategy (accessed Sep. 29, 2024).
[6] S. Carter, "Hackers Putting Global Supply Chain at Risk," www.nationaldefensemagazine.org, Jul. 02, 2020. https://www.nationaldefensemagazine.org/articles/2020/7/2/hackers-putting-global-supply-chain-at-risk (accessed Sep. 29, 2024).